In April 2009 I had some interesting work with the Alberta Urban Municipalities Association (AUMA-AMSC) in Edmonton. This diverse organization has a twin mandate – both advocacy and services – for local governments. The task was to get Enterprise Risk Management up and running.
Ken Baker, Controller, was project lead. He asked that we start with a plenary session, not to cover the theory of ERM, but rather to explain what it would mean in practice. In my presentation I focused on a few key messages before we began work:

a) Risk management is not a substitute for environmental scan and planning. Substantially known trends and conditions are not risks, they are facts. The risk is that the plans to meet them will be, for one reason or another, unsuccessful.

b) Established disciplines within the purview of risk management should not be mixed up in the same exercise. Each has their own nuances and categories of analysis. For example, IM/IT security and Business Continuity/Emergency Planning are two distinct things – even though they need to be coordinated in an overall ERM framework.

c) Scope, organizational boundaries, level (strategic vs. operational), time frame and stakeholder and client group analysis – all these need definition in a context paper for any given risk assessment. If not, assumptions on all those items keep invisibly shifting in the minds of participants – whether you are conducting interviews or a round table session. Failure to properly establish context always leads to mushy (that seem to be the best word for it) risk information.

After having checked context papers, mostly done by email as pre-work before I arrived on site, I led risk ID sessions with each working group. The content was varied and challenging, including benefits services, claims management, an energy (electricity and natural gas commodities) aggregation program, and IT systems. My role, after clarifying working principles, was to facilitate sessions –which means demonstrate the process and transfer capacity. Ken posted documents and templates on a Sharepoint site, and coordinated the successive work of departments.

Results

CEO John McGowan reported in the internal staff newsletter Between the Lines, April edition:

“the Directors of the first four participating departments were tasked with identifying the details of their operations in a context paper. This was followed by individual departmental sessions with the teams where a facilitator helped each group identify its own risks… According to one participant this had a ‘cathartic effect’ and left the teams with a new positive impression that ERM would assist them in the quality of decision-making, not create extra work.”

Next Steps

In later talks with Ken, we did some analysis and interpretation of the aggregate results. Those “cathartic” departmental sessions actually came together to paint a clear picture of critical aspects of the AUMA-AMSC operational risk profile. Ken has said that the next logical step is to conduct a strategic risk assessment at the board/exec level.

This shows that you can start at the operational level and implement ERM rapidly and with a minimum of bureaucratic overlay – the essential point is to prove and validate the core risk assessment methodology. I would recommend also conducting future scenarios planning at the strategic level to cover extreme conditions on critical business factors.

[Revised. Originally published 07 May 2010]

UPDATE: Ken Baker has subsequently become ERM Program Manager at City of Edmonton.